Applies To:

Show Versions

BIG-IP LTM

9.2.2

Release Note:BIG-IP LTM version 9.2.2

Software Release Date: 02/21/2006Updated Date: 02/21/2006

Summary:

This release note documents the version
9.2.2 feature release of BIG-IP® Local Traffic Manager, Load Balancer
Limited, and Application Accelerator. To review the features in this release, see Features in this release. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.5 PTF-04 through
version 4.5.13, and version 4.6 through version 4.6.4, and to systems running version 9.0 and later. For information about installing the upgrade, please refer to Installing
the software.Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see New
Versioning Schema for F5 Software Releases.

Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.

Supported browsers

The Configuration utility (graphical user interface) supports the following browsers:

Microsoft® Internet ExplorerTM, version 6.X and later

Netscape® NavigatorTM, version 7.1, and other browsers built on the same engine, such as MozillaTM, FirefoxTM, and CaminoTM.

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins may affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

Installing the software

There are several installation options to consider before you begin the version 9.2.2 software installation. Before you begin the installation process, you need to determine which installation option is appropriate.

Warning: A valid service contract is required to complete this upgrade.

Warning: You must reactivate the license on the BIG-IP system you intend to upgrade before you begin the upgrade.

Warning: You must turn off mirroring before you attempt to upgrade to version 9.2.2. Mirroring between units with previous versions of the BIG-IP software installed and version 9.2.2 is not supported.

Important: You are prompted to install the software on multiple boot images if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), and BIG-IP 6800 (D68) platforms support this functionality.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, failover and apply the upgrade to the other unit in the redundant system.

Verifying the MD5 checksum of the upgrade file

After you download the installation file and the matching MD5 checksum file, and before you perform the installation, we recommend you test the upgrade file. This verifies that you have downloaded a good copy of the upgrade ISO. To run the test, type the following commands, where Upgrade9.x.iso is the name of the upgrade file you downloaded.

md5sum Upgrade9.x.iso

Check the output with the contents of the corresponding MD5 file. If they match, install the file. If they do not match, you should download the file again and repeat the process.

New features and fixes in this release

This release includes the following new features.

8400 platform support
This release includes support for the new 8400 platform.

Global Traffic Manager (GTM)
You now have the option to license the TMOS integrated Global Traffic Manager (GTM). For more information about the Global Traffic Manager, see the Global Traffic Manager release notes.

Link Controller
You now have the option to license the TMOS integrated Link Controller (LC). For more information about the Global Traffic Manager, see the Global Traffic Manager release notes.

Fixes in this release

Using a literal carriage return in a monitor parameter string (CR43128)
The system can now interpret literal carriage returns in monitor strings that are created by pressing the Enter key. If the string you are creating requires a literal carriage return, press the Enter key.

Redundant systems and assigning duplicate IP addresses (CR43330)
If you have a redundant system, and on both units you assign the same IP addresses on the internal and external VLANS, the system generates an error message. This is not a valid configuration.

Using the discard option during the upgrade process (CR44129)
The discard option now handles the boot entry for the discarded installation from the grub.conf file correctly. This means that installations that you have discarded do not appear as options on the grub.conf list at boot time.

HTTP: redirect rewrite and ports (CR45211)
The HTTP redirect rewrite feature now removes the port string from the redirect response if it is the node's port.

HTTP: Support for the CONNECT method (CR45526)
The system now supports the CONNECT method correctly.

L4 connection mirroring and fail-back (CR45480)
L4 connection mirroring now works correctly with the fail-back feature.

Benign error message when network booting from CD image (CR45998)
We have corrected the problem that caused the following benign error message when you boot the BIG-IP system from the CD image:

msg insmod e100: no module by that name found

You no longer see this message.

Forcing speed and duplex settings on the management interface (CR46765)
You can now force the speed and duplex settings on the management interface. Previously, if you tried to force the media settings of the management interface, bigpipe would fail silently.

bigpipe: syntax for adding a pool member (CR47907)
To add a member with a connection limit to an existing pool requires only one command. Use this command syntax to add the member and the connection limit, like this:

b pool poolname member 10.0.0.5:80 limit 5000 add

Configuration utility: Host Name on the Platform screen (CR50443)
The host name is now correctly validated on the Platform screen in the Configuration utility.

SCCP: log files and disk space (CR52506)
We have corrected a problem that could cause the SCCP log files to grow too large and take up disk space.

F5KM: Self-signed certificates missing NULL parameter in signature data (CR52590)
The self-signed certificates generated on the system are now encoded with an RFC-specified NULL parameter value.

End User Diagnostics menu item is available after installing version 9.1 (CR53894)
Installation of version 9.1.1 does not remove the End User Diagnostics (EUD) menu item.

Clone pools are not demoted (CR53948)
Clone pools are now handled correctly with hardware acceleration.

Virtual servers referencing multiple iRules (CR53976)
The system no longer experiences problems when a virtual server references more than one iRule.

Changing rule order or priority on virtual servers (CR54042)
Changing the order of two rules referenced by the same virtual server and reloading the configuration no longer destabilizes the system.

The option, Other External User Role is now synchronized across multiple systems (CR54207)
When you assign a value to the Other External User Role option to one system, that value overwrites the default value on another system if that system has remained with the default value, No access. You no longer have to log into the additional systems and modify the value manually.

Config sync user roles are no longer configurable (CR54267)
A user who is assigned as the ConfigSync user can no longer change their role unless they are unassigned as the ConfigSync user.

Configuration utility: application error on New Profile screen (CR54321)
We have corrected a major application error that occurred when you clicked the Next button on the Create New Profile screen.

Large configurations with several VLANs (CR54799)
When loading a large configuration (such as 257 vlans) on the BIG-IP system, the system no longer generates PVA statistics errors regarding packet deserialization.

OpenSSL update (CR55070)
In response to various security advisories, we have updated the version of OpenSSL to version 9.0.7i.

TMM availability and NULL pool members (CR55251)
The TMM service no longer becomes unavailable due to a pool member being set to NULL.

Escape characters for send and receive strings in monitors (CR55366)
The Monitors chapter of the Configuration Guide for Local Traffic Management now explains how to use escape characters to specify multi-line Send String and Receive String values.

Modification of the StateMirror.^IPaddr bigdb key (CR55483)
The TMM service is no longer adversely affected when you modify the bigdb key StateMirror.^IPaddr.

Reselection of last hop gateway (CR55761)
The BIG-IP system now reselects the correct last hop gateway when a pool member is unavailable.

Enabling and disabling VLAN groups on a virtual server (CR56577)
When configuring the VLAN Traffic setting of a virtual server configuration, if you specify a VLAN group, hardware acceleration now demotes to Assisted mode. A way to avoid this is to separate the VLAN group into its VLAN members, specifying the individual members in the VLAN Traffic setting.

Returned From string and SIP monitor (CR56819)
The SIP monitor now accepts a returned From string regardless of whether the URI is encased in angle brackets (<>) or not.

Monitors: MSSQL monitor and send parameter (CR57045)
You can now use the MSSQL monitor without the send parameter configured.

Features and fixes released in prior releases

The current release includes the features and fixes that were distributed in prior feature releases, as listed below.

Version 9.2.0

Integrated Application Security Module (ASM)
You now have the option to license the TMOS integrated Application Security Module. For more information about the Application Security Module, see the Application Security Module release notes.

520/540 platform support
This release is supported on the 520/540 (D35) platforms.

Statistics Profile
The Statistics profile provides user-defined statistical counters. Each profile contains 32 fields (Field1 through Field32), which define named counters. Using a Tcl-based iRule command, you can use the names to manipulate the counters while processing traffic. For more information, see Chapter 5, Understanding Profiles, in the Configuration Guide for Local Traffic Management.

Optional configuration changes

Once you have installed the software, you can use any of the following configuration options to update your configuration.

Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system. You can use the following SNMP OIDs in read/write mode.

New SNMP OIDs

Using the switchboot utility

Beginning with the version 9.0.2 release, functionality was added to install multiple versions of the BIG-IP software on different boot images on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

The switchboot utility is available to manage installations on different boot images. You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:

switchboot

A list of boot images and their descriptions displays. Type the number of the boot image you want to boot at startup. When you reboot the system, it starts from the slot you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.

There is only one boot image to choose from: title BIG-IP 9.2.2 Build 167.4 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which boot image you want to boot, you can type the following command and specify the boot image number for <bootimage_number>:switchboot -s <bootimage_number>

To use switchboot to list available boot images and the currently active boot images.

If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:switchboot -h

To view the contents of the boot configuration file using switchboot

You can view the complete contents of the boot configuration file (grub.conf) with the following command:switchboot -d

This command is slightly different from switchboot -l in that -d only lists the boot image header lines, while -d displays the complete file.

Known issues

The following items are known issues in the current release.

1500, 3400, and 6400 platforms: SSH session remains open after peer unit is rebooted (CR40503)
When you establish an SSH session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Using trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch, you may form a bridging loop, which causes the TMM to restart repeatedly. To avoid this issue, enable spanning tree protocol if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support SIP persistence.

Client SSL and Server SSL profiles and time stamps on key or certificate files (CR40677)
The Client SSL and Server SSL profiles currently do not add time stamps to SSL certificate or SSL key files.

When specifying a default route for IPV6, you must specify a destination and netmask (CR40808)
Because the default configuration settings for Network Routes is for IPV4, you must specify both a destination and netmask value to specify a default route for IPV6. To specify a IPV6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPV6 default route.

OTCU: Displaying monitors saved at pool level in the Configuration utility (CR40977)
After you run the OTCU to convert your 4.5.x or 4.6.x configuration to a 9.x configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can reboot the system.

Configuration utility: Re-running the Setup Utility and VLAN configuration error messages (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs), the configuration must follow the following guidelines. If the configuration violates one of these conditions, you see error messages, and cannot complete the configuration.

No more than one non-floating IP may be associated with VLANs named external or internal.

No more than one floating IP may be associated with VLANs named external or internal.

The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.

The bigdb variable Statemirror.IPAddr must match the internal self IP.

A VLAN group may not be named external or internal.

A trunk may not be configured on VLAN external or internal. The default route must be of type Gateway.

Failover and virtual servers with a OneConnectTM profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel may not properly indicate link activity (turn green).

Configuration utility: Changing the refresh interval on the Preferences screen applies the change only to statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

Attempting to use bigpipe immediately following the bigstart restart (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

The BIG-IP system caches unreachable IPv6 destinations regardless of IPv6 route updates (CR44109)
A problem may occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

FTP data channel with Layer 7 FTP connections and non-equal MTUs (CR44165)
Non-equal MTUs may cause Layer 7 FTP connections to stall. If you are using a switch to negotiate the MTU with the BIG-IP system, this is not likely to happen.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

IPv6: Transparent monitors(CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Allowing specific UDP ports (CR44590)
You cannot add a specific UDP port to the allow list that includes the allow default setting. To add specific UDP ports to the allow list, remove the allow default setting and add each UDP port you want to add to the allow list.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for BIG-IP system using IPv6 is 1280.

Error when swapping RADIUS server keys during a re-load after swapping the server IP addresses (CR44769)
You may see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by unconfiguring one of the servers before redefining the other.

Brackets in commented sections of rule syntax (CR44839)
Brackets in commented sections of rule syntax are counted in the bracket count. We recommend that you balance the brackets in the comments.

NAT and ICMP (CR44849)
Currently, NATs do not forward ICMP packets.

Configuration utility: Load Balancer Limited and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Limited product does not provide the ability to create or edit a Fast L4 profile.

Restoring a configuration and overwriting SSH keys (CR45173)
UCS files back up and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the SCCP host subsystem.

Validating routes (CR45212)
Currently the system does not fully validate route configurations, and it is possible to add a route to the configuration for which the gateway router is on the destination network.

SNAT translation addresses and idle timeout values (CR45352)
If you create a SNAT that is not associated with a virtual server, and the idle timeout of the translation address is indefinite, the system uses the default timeout defined in the Fast L4 profile (300 seconds). Also, creating a default SNAT with an idle timeout value lower than the Fast L4 timeout value can cause problems.

Using automatic licensing and errors in the Configuration utility (CR45369)
In the Configuration utility, when you select Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

Display discrepancies between Configuration utility and bigpipe for SSL profile setting (CR45537)
On the SSL Profile screen, select the Renegotiate Period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity ASIC. This feature is not available on the Application Accelerator product.

Acceptable characters in SSL certificate names and common names (CR45721, CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid, however the only acceptable characters are alphanumeric characters, hyphen, and underscore.

Generating SSL certificates and keys and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

Empty list notation in iRules in the Configuration utility (CR45767)
In the Configuration utility, on the iRules screen, you can currently specify an empty list with the following notation: {}. The configuration does not load properly with this syntax (no space between the braces). The correct syntax is as follows: { }. Note that the space is required.

Importing non-FIPS keys into a FIPS system (CR45853)
If you import non-FIPS keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the TMM process. You can perform this task from the command line, by typing bigstart restart.

VLAN groups and active/standby redundant systems (CR45867)
If you have an active/standby redundant system that uses VLAN groups for Layer 2 (L2) bridging, when the active unit goes to standby, it may continue to forward L2 packets.

The radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility may start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility, on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade your system using the IM upgrade process, you may see the following error message when the system starts the automatic reboot, after the installation completes:

modprobe: Can't open dependencies file

You can ignore this error; it is benign.

IM upgrades and kernel journaling error messages (CR45970)
When you use the IM upgrade process, you may see kernel journaling error messages on the console after the installation completes. The error messages are benign and can be ignored.

Creating vlans with period in the name (CR46028)
Using the sysctl -a command prints the /proc/sys file system. This command displays the information about each file under the tree as if it were a variable separated by period (.). It also translates the forward slash (/) into a period. When you create a VLAN with a period in the name, sysctl translates that into a forward slash (/), but then cannot read the file name it just created.

Configuration utility: white space in imported certificates (CR46150)
Currently, white space in imported certificates is not handled correctly. Certificates with extra whitespace after the begin certificate or before the end certificate statements are rejected.

Virtual Server - No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:

BIG-IP system behavior when the product license expires (CR46636)
Currently, when the product license expires on the BIG-IP system, it does not fail over to a peer system with an active valid license.

Creating a wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry (0.0.0.0) with ARP disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Changing an existing pool into a gateway failsafe pool (CR46870)
To change an existing pool into a gateway failsafe pool, you must first delete the existing pool and recreate it as a gateway pool type.

bigtop utility and failover (CR47361)
If you are running the bigtop utility on an active unit, and then the system fails over, you need to restart bigtop to refresh the bigtop statistics.

SSL certificates: native serverssl stack does not support client-side certificates (CR47702)
When using Server SSL (SSL re-encryption) and the node requests a client certificate, the BIG-IP system does not send a client-side certificate. To work around this issue, specify ALL as the cipher in the server SSL profile.

SSL session ID persistence breaks on re-handshake (CR48114)
Session ID persistence is unaware of mid-connection renegotiations. This may cause new persistence entries not to be added for a new session ID if there are any negotiated in the middle of a connection.

Trailing whitespace on Tcl if statement and line continuation of else (CR48213)
Any trailing white space in a Tcl statement breaks the line continuation of the rule statement. To avoid this problem, remove any white space at the end of each line of the Tcl statement.

Deleting select ports from a multi-port mirror configuration (CR48376)
You cannot delete select ports from a multi-port mirror configuration. You must delete the entire multi-port mirror configuration and reconfigure it with a new port list.

LCD reports active while the command line prompt states the system is inoperative (CR48409)
The LCD can report only three types of system status: Active, Standby, or Standalone. If the system is in a different state, it may not be reported on the LCD screen.

RADIUS: white space in the client ID (CR48453)
Blank spaces in RADIUS client IDs are not supported by the system. Any part of the ID that appears after the blank space does not display correctly.

Configuring multiple RADIUS server objects that use the same server IP address and port (CR48464)
You cannot configure multiple radius server objects that share the same server IP address and port.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity ASIC (PVA), the system can become unavailable.

Loading large external classes (CR48489)
Loading an external class file with more than 100,000 kilobytes of data may cause the system to become unstable.

TCP::collect implicitly holds the accepted event (CR48592)
The TCP::collect command is not appropriate for some protocols where the server sends data first, such as banner protocols.

System unavailability due to memory depletion (CR48594)
When processing an extremely high number of connections per second (approximately 30,000), with very large window sizes for compression, the system can run out of memory, causing a system failure. Occurrence of this event is highly unlikely.

Support for link down time on failover (CR48728)
For BIG-IP 520/540 (D35) systems that make use of VLAN groups, the Link Down Time on Failover feature is unsupported

BIG-IP system now uses UTC time for hardware (CR48737)
After upgrading the system from BIG-IP version 9.1, you may receive timestamp errors when you install a saved BIG-IP version 9.1 UCS file. These errors are benign. The system clock will correct itself.

Using the base FastHTTP profile (CR49182)
Once you configure the BIG-IP system to use the base FastHTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the FastHTTP profile.

Misconfigured iRule can cause TMM to restart (CR49375)
If an iRule is not configured to use the variable name form to access the class or data group (matchclass or findclass), then TMM restarts.

Checking product version when licensing features. (CR49435)
When you request licensing for additional modules, the license server does not check that you are running a product version that supports those modules.

drop and reject commands for UDP traffic (CR49445)
When processing UDP traffic, the system does not always handle the iRule commands drop and reject properly.

ssldump utility on BIG-IP 1000 platforms (CR49446)
On BIG-IP system 1000 platforms only, the TMM service can become unavailable due to a problem with the ssldump utility.

Using the FastHTTP profile header insert option (CR49530)
The FastHTTP profile's header insert option does not perform a variable expansion in its configured header insert. For example, [IP::client_addr] is inserted literally. Although this is inconsistent with the HTTP profile, this was done to increase HTTP performance. To configure the FastHTTP profile to insert the original client IP address as a standard XForwarded-For header value, modify the FastHTTP profile and enable the XForwarded-For header option. Additionally, FastHTTP supports the HTTP_REQUEST iRule event as well as the HTTP::header insert rule command, which you can use to insert arbitrary HTTP headers.

Configuration load message about VLANs (CR50019)
Loading a new configuration over an existing one can generate a message when the two configurations include a VLAN with the same name but different interfaces assigned to them.

Mirroring data between units in a redundant pair (CR50330)
If the configurations for both units in a redundant system do not match, it can cause state mirroring to fail and result in general system instability.

Deleting system authorization iRules (CR50407)
You cannot delete system authorization iRules. If you attempt to use the delete checkbox next to a system authorization iRule in the iRule List, you receive an error.

Creating VLANs with dashes ( - ) in the name (CR50441)
The Linux router advertisement daemon (radvd) cannot process an interface name containing a dash ( - ). To avoid errors, verify that the VLAN name, on which radvd is enabled, does not contain dashes.

Exporting SSL Keys on a BIG-IP 6400 FIPS system (CR50553)
If you attempt to export a non-FIPS SSL Key on a BIG-IP 6400 FIPS system, BIG-IP system returns a Cannot export FIPS keys error. There is no workaround.

Installing BIG-IP version 9.2.2 on a system with an unformatted boot drive (CR50733)
When installing BIG-IP version 9.2.2 on a system that contains a boot drive that has not been formatted, or was formatted by an installation of BIG-IP version 4.x, the BIG-IP system returns the following error: 4.x upg : sfdisk: ERROR: sector 32164 does not have an msdos signature. This message is benign and has no affect on the installation.

Settings for tcp_timestamps (CR50852)
If you have previously turned off tcp_timestamps, you may have to re-disable tcp_timestamps by adding the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

Loading a new BIG-IP configuration (CR50872)
If you try to load a new configuration that eliminates a network object referenced by another network object in the previous (currently-loaded) configuration, BIG-IP returns an error. To work around this issue, remove from the previous configuration the reference to the object that is eliminated in the new configuration, and then load the new configuration. For example, if in the previous configuration a VLAN is referenced by a VLAN group, and that VLAN does not exist in the new configuration, you must remove from the VLAN group the reference to the eliminated VLAN, before you load the new configuration.

Maximum header size (CR50924)
The BIG-IP system resets a connection it receives in a packet with a segment size higher than the maximum header size, when the maximum header size is set to a value that is less than the maximum segment size (MSS). The BIG-IP system resets the connection under these conditions, even if the packet contains some or all of the body.

Interrupted TCP connections are aborted unnecessarily (CR51197)
If an ARP or NDP entry times out or the peer is not responding, the connection aborts. These connections should only abort when the system is unable to establish a connection.

Reuse of HTTP client connections (CR51406)
Allowing infinite reuse of HTTP client connections can cause problems. To prevent this, verify that you have specified a value for the Maximum Requests setting in your HTTP profiles.

Licensing a system that was upgraded from BIG-IP system version 4.6.2 (CR51472)
After you upgrade the BIG-IP system from version 4.6.2 to 9.2.2 and open the Configuration utility to license the new system, the License screen fails to automatically display the 9.2.2 registration key. If this occurs, populate the registration key field manually.

Gratuitous ARP messages sent on disabled virtual server (CR51833)
The system sends a gratuitous ARP message during failover, when the virtual server is disabled.

Trunk statistics (CR51893)
Statistics for trunks do not display properly.

Preferred active status and long-lived mirrored connections (CR52003)
If you reboot a BIG-IP unit that has preferred active status enabled (Failover.ForceActive=enabled), the peer unit does not continue to mirror the existing long-lived mirrored connections while the preferred active unit is inactive. This results in dropped long-lived mirrored connections.

Remote RADIUS authentication (CR52073)
When you configure the system to use remote RADIUS authentication, the system also authenticates local users. This is by design.

Display of additional SSL TPS in Configuration utility (CR52164)
The License screen within the Configuration utility does not display the correct amount of additional SSL TPS licensed for that system.

Modification of destination address for custom transparent monitor (CR52255)
After creating a custom monitor with Transparent mode set to Yes, you cannot modify the Alias Address and Alias Service Port properties.

LDAP authethentication configuration object (CR52300)
When you create an LDAP authentication configuration object, the User Template and Bind Password setting should be mutually exclusive. You should define one setting or the other, but not both.

Harmless progress messages during product installation (CR52337)
If you initiate the Installer application using a local-install IM package, some of the progress messages might incorrectly refer to a remote installation process, that is, one that requires an installation server. For example, the output of the boot loader application might temporarily list the entry remote-install-<x>. Although incorrect, these references to a remote installation are harmless.

Error message regarding externally-stored classes when loading configuration data (CR52507)
If you are running the One-Time Conversion Utility (OTCU), and a UCS file includes an externally-stored class with a line containing an invalid netmask (such as 255.25.255.0), the bigpipe utility reports an error. In this case, you must find the external file, manually correct the error, and reload and save the configuration data.

Redefining routes when assigning a MAC masquerade address for a VLAN (CR52602)
When you assign a MAC masquerade address to an existing VLAN, Linux automatically drops any existing static routes pertaining to the interfaces associated with that VLAN. To correct this problem, redefine the static routes using the bigpipe route command, or run the bigstart restart command.

Slow Ramp Time setting for pools (CR52670)
When creating a load balancing pool, the Slow Ramp Time setting is required. Failing to specify a value causes automatic use of an incorrect value.

Mirroring connections to IPv6 nodes (CR52696)
When mirroring connections to a load balancing pool that contains both IPv4 and IPv6 pool members, only the connections to IPv4 nodes are mirrored. Connections to IPv6 nodes are not mirrored.

Display of SSL profile options (CR53196)
When using the Configuration utility to display an SSL profile, some settings do not appear when the certificate name has a .pem file name extension instead of a .crt extension.

Using the trunk command on the BIG-IP 6800 platform (CR53254)
On a 6800 (D68) platform only, when using the bigpipe trunk command to create a trunk, the trunk can fail to pass traffic after you add the first interface to the trunk. To fix the problem, type the following command: bigstart restart bcm56xxd

Behavior when attempting to load a non-existent configuration file (CR53396)
When you type the command bigpipe load <filename>, the system reloads the full configuration if the specified file does not exist, and does not generate an error message.

SSL certificate and key names (CR53446)
SSL certificate and key file names that include square brackets ([]) remain in the configuration data even when excluded from an archive. You must use the command line interface, and not the Configuration utility, to remove these certificates and keys from the configuration.

The user interface does not allow you to install an encrypted ucs when the config.encryption flag is set to off (CR54052)
If you disable encryption, you will be unable to install an encrypted ucs file into the system. This issue is resolved by activating the encryption option, and then installing the file.

RAMCACHE: empty URI excludes list causes everything to be cached (CR54077)
If you have an empty URI excludes, the system will cache everything possible. You can work around this by creating an iRule that defines what items should be cached.

When rotating log files, the Tomcat service must restart (CR54081)
In the event that the destination for Tomcat log files becomes full, the system automatically rotates log files to ensure that the most recent data is captured. However, Tomcat requires a restart each time it rotates a log file. This issue is resolved by ensuring there is adequate hard disk space for Tomcat, or by archiving log files on a scheduled basis.

User interface cannot install ucs files using special characters (CR54141)
When creating a ucs file, the command-line interface allows you to include special characters. However, these characters are not supported in by the Configuration utility, resulting in the Configuration utility being unable to install the ucs file. This issue is resolved by avoiding special characters when creating ucs files.

Connection limit for priority activation groups (CR54291)
When a priority group within a pool reaches its connection limit, the next connection does not move to the next-highest priority activation group.

Cookie persistence profile settings (CR54410)
For cookie persistence profiles in which the Cookie Method setting is not set to Cookie Hash, the system should not display the settings Mirror Persistence, Match Across Services, Match Across Virtual Server, and Match Across Pools, but does. You should ignore these settings.

User role for accounts on remote authentication servers (CR54412)
When you change the default user role for accounts that are authenticated remotely, the user role for user accounts labeled as Other External Users does not change accordingly.

ZebOS and MD5 interoperability (CR54440)
On systems running both the ZebOS module and MD5, a race condition can occur when using the MD5 signature settings within a TCP profile. We recommend that you refrain from using the MD5 signature settings within a TCP profile.

Error message on non-Cavium systems (CR54443)
During a local installation, the system erroneously inserts the error message modprobe: modprobe - Can't locate module char-major-240 in the var/log/daemon.log file. This occurs on non-Cavium systems only.

Enabling or disabling ConfigSync encryption (CR54446)
If you previously enabled encryption of configuration synchronization data and want to disable it using the Configuration utility, make sure that you first disable encryption using the Encryption setting on the ConfigSync screen. Then use the Preferences screen to set the Archive Encryption setting to Off. Doing these steps in this order prevents the occurrence of unexpected encryption behavior.

ARP requests and the management port (CR54468)
On a 6800 platform, packets sent through the external management port become corrupted and the system can no longer send ARP requests.

iControl and configuration synchronization (CR54587)
iControl does not indicate an exception if configuration synchronization does not succeed.

Media type on the 8400 platform (CR54835)
On the 8400 platform, setting the media type on SFP fiber ports causes a brief loss of link. This can cause the upstream switch to flush its ARP entry for the BIG-IP system.

LTM responds incorrectly on 302 responses into http/compress profile (CR54923)
The LTM will occasionally respond incorrectly when a 302 error is received into an http/compress profile. The exact behavior depends on the LTM configuration. To resolve this issue, add an iRule that avoids compression when a 302 error is received.

PVA: virtuals with unmatched MTUs (CR55240)
If you have VLANs with different MTU sizes, you should manually demote virtuals or set db variable Pva.Acceleration to none. An alternative is to set acceleration on a per-virtual basis using the FastL4 profile.

tcpdump utility on Packet Velocity ASIC 10 systems (CR55498)
When using the Linux tcpdump utility to see TCP packets on a VLAN, the utility does not produce expected results on BIG-IP systems that include the Packet Velocity ASIC (PVA) 10 feature. Note that the tcpdump utility works on interfaces or external trunks on PVA10 systems.

Cipher List setting in HTTPS monitor (CR55875)
When users other than admin use the Configuration utility to display an HTTPS type of monitor, the value of the Cipher List setting is truncated.

Mirroring of Layer 7 connections (CR55926)
After failover has occurred, the BIG-IP system does not re-mirror any mirrored Layer 7 connections.

Image selection after discard (CR55997)
On a 6400 platform, when you boot an image and then select that image to be discarded, the system does not require you to select another image. To work around this issue, you can use the switchboot utility to specify the default image to which you want the system to boot during startup.

Loss of links on SFP modules (CR56019)
For D62/C62 systems, the system sometimes does not detect the loss of a link on SFP modules that are set for autonegotiation.

Partial ACKs can result in TMM issues (CR56110)
When a mirrored connection receives a partial ACK and the data being ACKd has not passed through TCP4 yet, TMM may generate warnings, as there may be insufficient data in send queue to drop. There is no workaround for this issue.

Receiver side SACK report can contain stale information (CR56169)
During normal operations, the receiver side SACK report can contain stale information. There is no workaround for this issue.

Non-existent last hop pool and virtual server (CR56234)
You should not be able to assign a pool of last hop routers to a virtual sever when that pool does not exist but currently the system allows it.

Non-existent clone pool and virtual server (CR56238)
You should not be able to assign a clone pool to a virtual server when that clone pool does not exist but currently the system allows it.

ConfigSync User passwords (CR56405)
When you use the command line interface to change the ConfigSync User password on a unit of a redundant system, the BIG-IP system should display a reminder to change the password on the peer unit. However, it currently does not. For configuration synchronization to succeed, the passwords on the two units must match.

Rule setting for authentication profiles (CR56510)
When the system displays the New Authentication Profile screen for a specific type of profile and you change the Type setting to a different profile type, the value of the Rule setting does not change accordingly. You must explictly change the value of the Rule setting to match the newly-selected profile type.

Saving Syslog-ng data (CR56679)
When you create a .ucs file, the saved configuration data does not include the Syslog-ng configuration file, /etc/syslog-ng/syslog-ng.conf. Consquently, restoring the saved configuration does not restore any Syslog-ng configuration changes that you made prior to saving the data.

Stats profiles and the bigpipe utility (CR56708)
When using the bigpipe virtual to assign a Stats profile to a virtual server, the system does not automatically assign the necessary TCP profile. To work around this, either use the Configuration utility to create the virtual server and assign the Stats profile, or specify a TCP profile name on the bigpipe virtual command line.

Time zone specification after configuration synchronization (CR56739)
When you perform a configuration synchronization from one unit of a redundant system to another, the BIG-IP system assumes that the target unit is in the same time zone as its peer. The system therefore overwrites the time zone of the target unit with the time zone of the peer unit.

SSL connection on BIG-IP version 9.0.5-to-9.1.1 systems (CR56742)
For BIG-IP version 9.0.5 systems that have been upgraded to version 9.1.1 and include a FIPS card and a Client SSL profile assigned to a virtual server, the system inadvertantly terminates client SSL connections.

Prefer Fixed setting on copper and fiber cables (CR56810)
When both a copper and SFP fiber connection are used between two similar combo ports of two BIG-IP 8400 platforms, and the Prefer Fixed copper medium is selected as preferred on both ends, the SFP fiber becomes and remains active following system initialization.

Virtual servers and SSL profiles (CR56817)
If you assign an SSL profile to a virtual server a message about an FTP profile may appear. This message is benign.

Performance and mirrored connections (CR56874)
On certain BIG-IP system platforms, a heavy traffic load (such as 100 megabytes of HTTP traffic) could adversely affect performance when the connections are being mirrored to the peer unit.

Media setting for management interface (CR56897)
If you set the media setting of the management interface to something other than auto (the default setting), and then save the configuration, remove the interface configuration data from the bigip_base.conf file, and reload the configuration data, the media setting for the interface does not reflect the default setting. The interface retains its previous media setting.

Passing traffic on newly-active system (CR56902)
After you configure the BIG-IP system, save the configuration, and restart the system using the bigstart restart command, the system indicates that it is active. However, you might experience a slight delay, from a few seconds to a minute, before the system begins to pass traffic.

Link status on peer system (CR56905)
When you disable a combo port, the link light turns off on the BIG-IP system. However, the link is not down on the peer system.

Online help for the Routes screen (CR56960)
The Configuration utility does not display the online help for the Routes screens.

Display of time zone in log messages (CR57033)
When you use the Configuration utility to change the time zone on the BIG-IP system, any log messages resulting from creating a pool or an archive show the previously-defined time zone. You can synchronize the new time zone and the subsequent log messages by using the bigstart restart command.

Configuration synchronization and remaining files (CR57245)
When configuration synchronization does not succeed, several files remain on the system in the /var/tmp directory instead of being automatically deleted.

The iRule SSL::session_id command (CR57248)
When you use the iRule command SSL::session_id to specify an SSL session ID, and that session ID includes a null character, the session ID is truncated.

TMM memory allcation restrictions and iRules (CR57252)
If an iRule attempts to buffer more than four megabytes of data into a TCL variable, the TMM service could become unavailable. This is due to a 4-megabyte TMM restriction on contiguous memory allocation.

Node status on removal of ICMP monitor (CR57256)
When you remove the ICMP monitor from a node, the node status should show that the node is not being checked.

Source and Target settings in Stream profiles (CR57307)
In a Stream profile, you cannot use the slash (/) character when specifying values for the Source and Target settings.

Upgrading from a newer to an older version (CR57354)
When using the im script to upgrade a local BIG-IP installation from a newer version to an older version, you must specify the -force argument.

EUD does not adequately isolate external connections (CR57360, CR57362)
When the EUD runs, it assumes that there will be no external traffic in or out of the BIG-IP system, but external peers can still detect link connectivity and send traffic to the BIG-IP system. This can cause the EUD internal packet path test to fail.

FastL4 profile reset on timeout (CR57425)
When you disable the Reset on Timeout setting on a Fast L4 profile and specify an Idle Timeout value, the BIG-IP system still sends a reset (RST) packet and deletes the connection after the specified idle timeout value has expired.

IP multicast addresses and VLAN groups (CR57426)
When a VLAN is member of a VLAN group and the VLAN receives IP packets with a multicast destination address, the BIG-IP system does not copy those packets to the host. This can affect communication for local services using protocols that rely on IP multicast addresses (for example, OSPF and RIP v2).

Interface statistics and trunks (CR57478)
When you remove an interface from a VLAN and assign the interface to a trunk, the trunk inherits the statistics of the interface in the VLAN. The trunk should show new statistics rather than inheriting them from the interface.

Load sharing by 10-gigabit interfaces in a trunk (CR57479)
After you add a 10-gigabit interface to a working trunk that has another 10-gigabit interface, the load is not shared between both interfaces. Restart the lacpd service to fix the problem.

MCP validation improperly allows a virtual server to reference an incomplete base auth profile (CR57482)
Such profiles (for example, a stock ssl_ocsp profile without the config attribute set) should not be referenced by a virtual server.

Missing certificate credential triggers AUTH_FAILURE event for SSL-certificate auth methods (CR57483)
The auth subsystem does not treat an empty certificate credential message as an indication that this credential is absent.

LDAP mandatoryattrs paramater set to yes (CR57524)
An LDAP monitor with mandatoryattrs set to yes can erroneously assume that the attributes were returned if the LDAP server only returned referrals.

Link transmission status for media types (CR57564)
A disabled 10 Gigabit Ethernet interface on a 8400 may still indicate link up to its partner switch, which results in the link down on failover feature not working properly.

SNAT continuously uses the same SNAT pool member (CR57636)
When you implement SNAT, the system uses the same SNAT pool member; it does not load balance between other pool members that might be available. To work around this issue, create multiple floating self IP addresses that the the virtual server can use. Then, configure the virtual server to use the automap setting for the Translation option, located on the properties page for the virtual server.